Stage 7
Governance Checks

Just because no-code allows for rapid, incremental updates does not give you a pass to ignore governance requirements. Proper technological governance is essential for maintaining security and governmental compliance at all times. The cost of skipping governance checks can have significant impacts on the business’s function — becoming noncompliant can result in fines, settlements, business disruption, productivity and revenue loss. Furthermore, the damage to a business’s reputation can be irreparable. So, as the proverb goes, “measure twice, cut once” to make sure the cut you are making is the one you want! Make sure you have thoroughly reviewed your application for governance requirements before releasing it into the wild!

Now, let’s begin by identifying and reviewing some of the more common types of governance you will encounter:

1. External compliance. Checklists to assess compliance with external laws, guidelines, or regulations imposed by external governments, industries, and organizations.

2. Internal compliance. Checklists imposed by internal audit teams or committees to enforce adherence to rules, regulations, and practices as defined by internal policies and access controls.

3. Security. Checklists to protect your corporate information resources from external or internal attacks.

4. Data governance. Checklists to assess how sensitive corporate data is managed and secured.

We’ll start by looking at external compliance reviews. These are reviews conducted by a designated entity to assess whether your application complies with the laws, guidelines, and regulations set by external governments, industries, and standards organizations. Usually, this will apply to applications that contain sensitive customer data, especially healthcare-related information or financial data (e.g., credit cards and bank accounts). The external auditor will usually work with someone in IT or Operations, so be sure to build time for these reviews during the Project Assignment stage.

The range of external compliance standards can be quite varied depending upon industry or geography. The following is not a complete list but provides a representative set of examples of compliance requirements that may be applicable to your application:

General Data Protection Regulation (GDPR)

If you are building an application that will be capturing and manipulating the personal contact information of European Union (EU) citizens (for example an application used by sales and marketing teams), you need your application to be approved by the Data Protection Officer.

Health Insurance Portability and Accountability Act (HIPAA)

If you are in the healthcare vertical and the application is touching patient-sensitive information, the no-code team should be working with a relevant approver who is ensuring that the appropriate data privacy and security regulations are being met.

Payment Card Industry Data Security Standard (PCI DSS)

If you are building an application that will be touching sensitive financial information like credit card data (e.g., customer case management application in financial services).

Know your customer (KYC) and antimoney laundering (AML)

If you are building an app where a financial institution will be onboarding new clients, you may be subject to regulations that require you to ensure that no monies you are receiving have come from criminal or terrorist activity. Your compliance officer will need to ensure that checks are performed to specifically verify the identity of your customers and investors together with their financial activities and any risks they may pose.

These are just some of the more common external standards or regulations that are specific to your industry. Some of these may apply at the platform or data center level (like SSAE 16) but not require being reviewed per individual application. In other cases, app-specific reviews may be required. So, it’s recommended you collaborate with IT, your IT security team, or with the CoE, if applicable, early to identify the relevant external governance checks that will be applicable to your app, when they must be performed, and begin planning early to prepare.

Internal compliance reviews develop an independent assessment of the effectiveness of an organization’s risk management, processes, and general governance. Unlike external compliance, these reviews are not mandated by an external entity or legislation. Instead, they are the organization’s own way of performing internal quality measurement and management. The goal is to collect accurate information internally about the team’s performance, governance, and risks.

Data governance is the final category of governance. Data governance is a defined approach to data and information management that is formalized within an organization as a set of policies and procedures. These governance checklists encompass the full life cycle of data — from acquisition, use, and disposal. Data governance checklists are essential to control how sensitive corporate data is managed and secured. This will include considerations on data governance, access rights, quality, and managing risks around data loss.

Many organizations have recently gone through initiatives to comply with the GDPR. While this is a regulation specific to the European Union, many global companies are using it as a framework to help drive better customer data management practices.

The no-code team will typically work with data owners and the data governance group to review how your organization’s data policies will impact the app they’re building. Such reviews are typically focused on security and privacy protection, data quality, access, sharing, dissemination, and security and risk management.

Regardless of the type of governance check, there are some common considerations and best practices to keep in mind:

Properly scoping the effort

Many of the governance checks (especially internal ones) may require varying levels of effort and time commitments based on the criticality of your application. Some apps may not require many reviews while others may need significant time investment. The exact scope and necessary governance checks should be defined using the Application Matrix during the Project Assignment stage. At that point, the no-code development team should engage the required roles for each type of check. Later, when you are preparing for the initial release, the no-code team should confirm that none of your iterations included new capabilities, have impacted the Governance complexity requirements. They can do this by applying the Application Matrix to the completed MVP app (as it has iterated).

Planning ahead

Once you’ve identified the applicable governance checks, then the no-code project team (usually supported by IT or the CoE) will work with an internal audit team or external auditor to perform the review. The frequency varies: most require annual certification, but others may be dictated on a different schedule. Reviewing for governance should not be an afterthought in the development process. While the final reviews for governance may need to wait until after the app is completed (near the end of the Go-Live Phase), you should have already scheduled required reviews and started collaborating with the designated approvers during the Project Assignment stage.

Early collaboration

One of the other benefits of scheduling governance early is that it facilitates very early collaboration with the appropriate approver stakeholders (typically in IT or Ops) to anticipate and mitigate significant issues. Ideally, you should proactively be consulting with the identified Governance team from the beginning of the Go-Live Phase, so that you streamline and reduce downstream issues found later in the lifecycle.